org.keycloak:keycloak-services@26.2.1 vulnerabilities

  • latest version

    26.2.2

  • first published

    11 years ago

  • latest version published

    16 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.keycloak:keycloak-services package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Improper Validation of Certificate with Host Mismatch

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when the verification policy is set to 'ALL'. This setting is supposed to skip the hostname check, but as an unintended side effect it also skips trust store certificate verification. An attacker can exploit this vulnerability to read sensitive data from the system and perform spoofing or redirection attacks.

    Note:

    The ANY mode should not be used in production.

    How to fix Improper Validation of Certificate with Host Mismatch?

    Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

    [,26.2.2)
    • M
    Improper Authentication

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Improper Authentication. An attacker can use AIA (application-initiated actions) to circumvent required actions configured by an administrator, such as setting up 2FA. If an administrator has required a user account to perform a required action, that same user can pass in a URL parameter during the sign-in process to exploit this vulnerability.

    How to fix Improper Authentication?

    Upgrade org.keycloak:keycloak-services to version 26.2.2 or higher.

    [,26.2.2)
    • M
    Allocation of Resources Without Limits or Throttling

    org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when caching JWT tokens whose expiration time is not limited. An attacker can cause excessive memory consumption by sending malicious JWT tokens.

    How to fix Allocation of Resources Without Limits or Throttling?

    There is no fixed version for org.keycloak:keycloak-services.

    [0,)